Monthly Archives: December 2012

From time to time, customers ask me to report on file access rights from the user account perspective, meaning a summary of the allowed and the denied file system accesses per user. Typically, administrators implement role-based access control (RBAC) using nested groups. Nested groups simplify the management of file system access and security audits. Individual user accounts only acquire access through group memberships that correspond with their business role (see also AGDLP). So much for the theory! Over time, more and more exceptions prove the rule, and user accounts acquire access to file system resources outside the RBAC concept. A few lines of PowerShell can help to distinguish between the good and the bad apples.

The function below, Get-ResolvedAcl, leverages the ActiveDirectory module’s cmdlets Get-Acl (to list explicit allow/deny access), Get-ADObject (to identify the objectClass of the account referenced by an Access Control Entry), and Get-ADGroupMember (to list the members of a group). Furthermore, a helper function called Get-ADNestedGroupMember calls Get-ADGroupMember recursively in order to identify user accounts in nested groups.
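The recursive helper the post describes, written here as an added example rather than the post's own Get-ADNestedGroupMember. It assumes the RSAT ActiveDirectory module and a constructed group name ('FS-Finance-Read'); beyond plain recursion over Get-ADGroupMember it also records the nesting chain for the audit report and guards against circular nesting, which would otherwise recurse forever.

```powershell
Import-Module ActiveDirectory

function Get-ADNestedGroupMember {
    <#
    Recursively expands a group and emits one object per user account found,
    together with the nesting chain through which the account inherits membership.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $Identity,

        # Nesting path from the top-level group down to the current group (audit evidence).
        [string[]] $Chain = @(),

        # Distinguished names of groups already expanded. Guards against circular
        # nesting (A contains B, B contains A), which plain recursion never terminates on.
        [System.Collections.Generic.HashSet[string]] $Visited = (New-Object 'System.Collections.Generic.HashSet[string]')
    )

    $group = Get-ADGroup -Identity $Identity
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Verbose ("Skipping {0}: already expanded (circular nesting?)" -f $group.SamAccountName)
        return
    }
    $chainHere = $Chain + $group.SamAccountName

    foreach ($member in Get-ADGroupMember -Identity $group) {
        switch ($member.objectClass) {
            'group' {
                Get-ADNestedGroupMember -Identity $member.DistinguishedName -Chain $chainHere -Visited $Visited
            }
            'user' {
                [pscustomobject]@{
                    User  = $member.SamAccountName
                    Chain = ($chainHere -join ' > ')
                    Depth = $chainHere.Count
                }
            }
            # Computers, contacts and foreign security principals are ignored in a user-centric report.
        }
    }
}

# Usage (group name is a constructed placeholder): one row per membership path,
# ready to be compared against the intended RBAC model.
Get-ADNestedGroupMember -Identity 'FS-Finance-Read' -Verbose |
    Sort-Object User, Depth | Format-Table -AutoSize
```

A user appearing with several chains, or with an unexpectedly deep one, is the kind of exception the post sets out to find.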

Disclaimer: I hope that the information in this post is valuable to you. Your use of the information contained in this post, however, is at your sole risk. All information on this post is provided “as is”, without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by me. Further, I shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if I have been advised of the possibility of such damages.

With this post I show how to set the paths of the Roaming Profiles and the Remote Desktop Services (RDS) Profiles, formerly known as Terminal Services (TS) Profiles, for a set of Microsoft Active Directory user accounts.

The easy part is the Roaming Profile path. You just need to leverage the ActiveDirectory PowerShell module from RSAT:

```powershell
Import-Module ActiveDirectory

$Filter = <define a filter for Get-ADUser here>
$Path   = <define the roaming profile path here>

# ProfilePath maps to the profilePath LDAP attribute, so Set-ADUser handles it directly.
Get-ADUser -Filter $Filter | ForEach-Object {
    Set-ADUser $_ -ProfilePath $Path
}
```

The RDS Profile path is not quite as easy, though it is still simple: you just need to leverage ADSI in order to set it.

```powershell
Import-Module ActiveDirectory

$Filter = <define a filter for Get-ADUser here>
$Path   = <define the RDS profile path here>

Get-ADUser -Filter $Filter | ForEach-Object {
    # Bind to the user object via ADSI: the TS/RDS profile path is not a regular
    # LDAP attribute, so it is set through the IADsTSUserEx interface.
    $ADSI = [ADSI]('LDAP://{0}' -f $_.DistinguishedName)
    try {
        $ADSI.InvokeSet('TerminalServicesProfilePath', $Path)
        $ADSI.SetInfo()
    }
    catch {
        Write-Error $Error[0]
    }
}
```
